Alexa is Not Even Remotely Secure and Really I Don't Care

Forty-eight Cadbury Creme Eggs are en route to my house and it’s all Alexa’s fault.

Alexa is the incredibly useful voice assistant embedded into Amazon Echo – the company's smart home device that is still yet to make it out of the US. It gives you the weather as you stumble to the bathroom in the morning, and the news as you stumble back to your bedroom. It plays smooth jazz for your dog when you’re away and sets timers for your roommate when she’s baking. It turns off lights and it lets you order the Amazon Echo Dot with a simple request.

And today it let my roommate order forty-eight Cadbury Creme Eggs on my account. Despite me not being home. Despite us having very different voices.

Alexa is burrowing itself deeper and deeper into owners’ lives, giving them quick and easy access not just to Spotify and the Amazon store, but to bank accounts and to-do lists. And that expanded usability also means expanded vulnerability.

Devices that currently use Alexa — the Amazon Echo and Amazon Fire TV — can’t tell the difference between voices. Which means anyone who has access to your home has access to every single account you’ve linked to Alexa. Kids can reorder their favourite sweets, friends can inquire about your bank balance, and roommates can waste your money on a lark.

Those risks are the cost of embracing the Internet of Things. In the pursuit of convenience we have to sacrifice privacy...and hope guests aren’t tacky enough to ask our live-in robot about our bank balance.

Apart from Alexa’s willingness to do whatever anybody asks, it’s actually fairly secure. I spoke with Robert Graham from Errata Security, a security consultant agency, and he said that as an IoT device Amazon has “done a fair job securing the device with no obvious backdoors”.

“However,” he warned, “that can easily change on their next software update.”

The real concern for a lot of people, Graham noted, isn’t security as much as it’s privacy. Alexa devices include microphones that are always on, listening. It’s like willingly bugging your own home and hoping no one tunes in.

Alexa’s ability to listen and record isn’t quite as terrifyingly intrusive. Amazon insists that it only sends records of what it heard back to headquarters when it hears the activation command, “Hey Alexa”.

“It’s likely that laws will be passed that will allow the police to remotely activate these devices and eavesdrop on suspects,” Graham says, “pretty much as described in the book 1984”.

Maybe it’s growing up with law enforcement personnel for parents, or maybe it’s because I’m painfully mindful of how boring my home life is, but I don’t especially care. Like, I’d like to. I know a lot of people who genuinely value their privacy, but I was confessing major lusts in AOL chatrooms in my early teens, detailing personal tragedies on LiveJournal in my late teens, and announcing my bowel movements on Facebook in my 20s.

I, and many people in my generation and younger, do not value privacy. We willingly sacrifice it, often for popularity on social networks. And now for convenience sake within the Internet of Things.